Identity protection in the internet of things

Eve Maler of ForgeRock discusses the opportunities afforded by the Internet of Things and the possible identity perils that could be faced

Technology has paved the way for an era of almost limitless imagination, and almost no technology in recent memory has done this more than the Internet of Things (IoT). A Web definition explains that in the IoT “everyday objects have network connectivity, allowing them to send and receive data.”

These days, it’s not too difficult to imagine a world where our garage door talks to our thermostat so it heats the house as soon as we come home; the door then talks to our TV to put on our favourite show and to our oven to pre-heat dinner.

The IoT is not just the stuff of science fiction. It’s here. And it’s evolving rapidly.

The Connected World Requires New Up-Close-and-Personal Privacy Protections

Safe to say, we’re in the midst of an IoT gold rush. By one estimate, companies plan to invest 7.3 trillion dollars – yes, that’s “trillion” with a T – in IoT by 2017. Companies are aggressively exploring new creative and collaborative IoT projects to gain a foothold in the market and make their businesses more competitive. Apple just made a splash with the launch of its watch, which can be used not only for fitness purposes but also for medical research.

As companies use the IoT to provide more personalised services, and collect more data about us along the way, people reasonably fear that their privacy may be compromised. IoT faces unique challenges in this respect because organisations will likely have natural access to users’ personal data in order to provide their services. For instance, owners of the Samsung Smart TV were shocked to learn that its voice recognition capabilities involved “spying” on the (possibly) sensitive information in their utterances. People therefore feel they may have very little power to control what information is sharable.

At the same time, the privacy experience we’re used to when we use websites – checking a box that indicates we agree to share our personal data with a site – simply won’t do in the case of IoT devices. Where is the checkbox on a smart light bulb? Even if a device comes with an app you can install on your iPhone, if the experts are right about how many IoT devices we’ll have in our lives compared to how many laptops, we’ll need another way to deal with privacy.

The Perils of IoT – and Possible Solutions

Modern IoT continues to be defined by complexity, which leaves it exposed to cybercriminals and prone to privacy weaknesses. Many users and organisations, eagerly anticipating the touted benefits, set up IoT devices to get real-time alerts from Google Nest smoke alarms, enhanced understanding of sleep patterns from Fitbit wearables and inventory management from industrial net-connected devices. And all of these devices empower them to have more control over their home life or business environment.

What users didn’t sign up for – or rather, what was embedded in the fine print they didn’t read! – are consumer insights and profiling, recorded usage patterns, and assessment and analysis of human behaviour, based on the data these devices are designed to collect.

To succeed, IoT protocols must provide a cohesive approach to identity relationship management that ensures the relationships between devices, people, and cloud services are properly built at the right moments; that they are based on fair agreements between the parties; and equally importantly, that they are torn down when the parties say so.

As more objects and appliances acquire the ability to “speak” to each other, we face the monumental task of ensuring that we can give people control of their personal data, even if that data is collected and managed in a thicket of millions of sensor- and device-enabled networks.

Think for a moment about how many light bulbs you have in your home. Do you want to manage access to each one individually, merely for yourself and your family members, never mind for every time you entertain guests? If we want the benefits of IoT rather than having to flip dumb wall switches, we’d better get to truly central data control — and fast.

Here’s another example of the importance of controlling our data: data collected in the cloud service associated with an Internet-connected dishwasher might reveal how often the inhabitants wash their dishes when they’re at home, when they have guests, or when they’re preparing food. The homeowners may want to manage access to the dishwasher as part of an aggregation of household “things,” while also managing various people who interact in that house as an aggregation of household “people.” If they sell the house, the owners will want to transfer the dishwasher and service over to the new owner, while still keeping control of the “people” data they’ve built up over time.

A standards organisation called the Kantara Initiative sponsors several efforts, including the Identities of Things Discussion Group and the User-Managed Access (UMA) Work Group, to build solutions to these challenges. UMA is a new protocol designed to give users a unified point of control for authorising access to personal data and services, regardless of where those resources live online. An everyday example: if Alice owns an IoT-enabled “connected car,” she could introduce it to her UMA-enabled online sharing dashboard, where she could set up a sharing preference that lets her son Jacob drive the car — but not gain access to the boot. And her dashboard could handle data from everything from kitchen appliances to all her lightbulbs.
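The central control point described above, together with the earlier requirements that relationships can be torn down and that a thing can be handed to a new owner, can be sketched as a small policy model. This is an added example, not code from the article, ForgeRock or the UMA specification; the class names and the `drive` / `open_boot` scope names are hypothetical, and it models only the owner's policy decision, not the UMA message flow.

```python
from dataclasses import dataclass, field


@dataclass
class Thing:
    """A registered device and the scopes (actions) it exposes."""
    owner: str
    scopes: frozenset
    grants: dict = field(default_factory=dict)  # party -> granted scopes


class SharingDashboard:
    """Hypothetical central policy point (a model, not the UMA protocol)."""

    def __init__(self):
        self.things = {}

    def register(self, owner, thing_id, scopes):
        self.things[thing_id] = Thing(owner, frozenset(scopes))

    def _owned(self, actor, thing_id):
        # Only the current owner may change policy for a thing.
        thing = self.things[thing_id]
        if thing.owner != actor:
            raise PermissionError(f"{actor} does not own {thing_id}")
        return thing

    def grant(self, actor, thing_id, party, scopes):
        thing = self._owned(actor, thing_id)
        unknown = set(scopes) - thing.scopes
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        thing.grants.setdefault(party, set()).update(scopes)

    def revoke(self, actor, thing_id, party):
        # Tear the relationship down when the owner says so.
        self._owned(actor, thing_id).grants.pop(party, None)

    def transfer(self, actor, thing_id, new_owner):
        thing = self._owned(actor, thing_id)
        thing.owner = new_owner
        thing.grants.clear()  # the old owner's sharing does not carry over

    def is_allowed(self, party, thing_id, scope):
        thing = self.things.get(thing_id)
        if thing is None or scope not in thing.scopes:
            return False  # default deny for unknown things and scopes
        return party == thing.owner or scope in thing.grants.get(party, set())
```

Registering Alice's car with both scopes and granting Jacob only `drive` leaves `is_allowed("jacob", "car", "open_boot")` false, and a `transfer` of the dishwasher drops every grant the previous owner made.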

The most practical way to build in privacy is to use consistent, well-vetted open standards and platforms that enable secure, user-consented connections among devices, services, and applications. Once consumers feel they have control over their information, we will truly see the full potential of all that this technology can offer.